|
1 | 1 | ---
|
2 |
| -title: Remove Microsoft Sentinel | Microsoft Docs |
3 |
| -description: How to delete your Microsoft Sentinel instance. |
4 |
| -author: yelevin |
5 |
| -ms.topic: conceptual |
6 |
| -ms.date: 07/05/2023 |
7 |
| -ms.author: yelevin |
| 2 | +title: Remove Microsoft Sentinel from your workspace |
| 3 | +description: Learn how to delete your Microsoft Sentinel instance. |
| 4 | +author: cwatson-cat |
| 5 | +ms.topic: how-to |
| 6 | +ms.date: 03/06/2024 |
| 7 | +ms.author: cwatson |
8 | 8 | ---
|
9 | 9 |
|
10 | 10 | # Remove Microsoft Sentinel from your workspace
|
11 | 11 |
|
12 |
| -If you no longer want to use Microsoft Sentinel, this article explains how to remove it from your workspace. |
| 12 | +If you no longer want to use Microsoft Sentinel, this article explains how to remove it from your Log Analytics workspace. Review the implications of removing Microsoft Sentinel before you complete these steps. |
13 | 13 |
|
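Review bot: The new intro sentence tells readers to "Review the implications of removing Microsoft Sentinel before you complete these steps", but the "Review implications" section this change adds sits after both the procedure and "Consider pricing changes", and the sentence carries no link to it. Either link the sentence to the section anchor (`#review-implications`) or move that section above "Remove Microsoft Sentinel", so a reader working top to bottom reaches the data-loss details before step 6.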
14 |
| -## How to remove Microsoft Sentinel |
| 14 | +## Remove Microsoft Sentinel |
15 | 15 |
|
16 |
| -Follow this process to remove Microsoft Sentinel from your workspace: |
| 16 | +Complete the following steps to remove Microsoft Sentinel from your Log Analytics workspace. |
17 | 17 |
|
18 |
| -1. From the Microsoft Sentinel navigation menu, under **Configuration**, select **Settings**. |
| 18 | +1. For Microsoft Sentinel in the [Azure portal](https://portal.microsoft.com), under **Configuration**, select **Settings**. |
19 | 19 |
|
20 |
| -1. In the **Settings** pane, select the **Settings** tab. |
| 20 | +1. On the **Settings** page, select the **Settings** tab. |
21 | 21 |
|
22 |
| -1. Locate and expand the **Remove Microsoft Sentinel** expander (at the bottom of the list of expanders). |
| 22 | +1. At the bottom of the list, select **Remove Microsoft Sentinel**. |
23 | 23 |
|
24 | 24 | :::image type="content" source="media/offboard/locate-remove-sentinel.png" alt-text="Screenshot to find the setting to remove Microsoft Sentinel from your workspace.":::
|
25 | 25 |
|
26 |
| -1. Read the **Know before you go...** section and the rest of this document carefully, making sure that you understand the implications of removing Microsoft Sentinel, and that you take all the necessary actions before proceeding. |
| 26 | +1. Review the **Know before you go...** section and the rest of this document carefully. Take all the necessary actions before proceeding. |
27 | 27 |
|
28 |
| -1. Before you remove Microsoft Sentinel, please mark the relevant checkboxes to let us know why you're removing it. Enter any additional details in the space provided, and indicate whether you want Microsoft to email you in response to your feedback. |
| 28 | +1. Select the appropriate checkboxes to let us know why you're removing Microsoft Sentinel. Enter any other details in the space provided, and indicate whether you want Microsoft to email you in response to your feedback. |
29 | 29 |
|
30 | 30 | 1. Select **Remove Microsoft Sentinel from your workspace**.
|
31 | 31 |
|
32 |
| - :::image type="content" source="media/offboard/remove-sentinel-reasons.png" alt-text="Screenshot to remove the Microsoft Sentinel solution from your workspace and specify reasons."::: |
| 32 | + :::image type="content" source="media/offboard/remove-sentinel-reasons.png" alt-text="Screenshot that shows the section to remove the Microsoft Sentinel solution from your workspace."::: |
33 | 33 |
|
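Review bot: In step 1 the link text says "Azure portal" but the target is `https://portal.microsoft.com`. The Azure portal is served at `https://portal.azure.com`, so the link should point there. Step 4 still sends the reader to "the rest of this document" for the implications. Now that they have their own heading, a direct reference to "Review implications" would be clearer than the generic pointer.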
34 | 34 | ## Consider pricing changes
|
35 |
| -When Microsoft Sentinel is removed from a workspace, there may still be costs associated with the data in Azure Monitor Log Analytics. For more information on the effect to commitment tier costs, see [Simplified billing offboarding behavior](enroll-simplified-pricing-tier.md#offboarding-behavior). |
| 35 | +When Microsoft Sentinel is removed from a workspace, there might still be costs associated with the data in Azure Monitor Log Analytics. For more information on the effect to commitment tier costs, see [Simplified billing offboarding behavior](enroll-simplified-pricing-tier.md#offboarding-behavior). |
| 36 | + |
| 37 | +## Review implications |
| 38 | + |
| 39 | +It can take up to 48 hours for Microsoft Sentinel to be removed from the Log Analytics workspace. Data connector configuration and Microsoft Sentinel tables are deleted. Other resources and data are retained for a limited time. |
| 40 | + |
| 41 | +Your subscription continues to be registered with the Microsoft Sentinel resource provider. But, you can remove it manually. |
| 42 | + |
| 43 | +### Data connector configurations removed |
| 44 | + |
| 45 | +The configurations for the following data connector are removed when you remove Microsoft Sentinel from your workspace. |
| 46 | + |
| 47 | +- Microsoft 365 |
| 48 | + |
| 49 | +- Amazon Web Services |
| 50 | + |
| 51 | +- Microsoft services security alerts: |
| 52 | + |
| 53 | + - Microsoft Defender for Identity |
| 54 | + - Microsoft Defender for Cloud Apps including Cloud Discovery Shadow IT reporting |
| 55 | + - Microsoft Entra ID Protection |
| 56 | + - Microsoft Defender for Endpoint |
| 57 | + - Microsoft Defender for Cloud |
| 58 | + |
| 59 | +- Threat Intelligence |
| 60 | + |
| 61 | +- Common security logs including CEF-based logs, Barracuda, and Syslog. If you get security alerts from Microsoft Defender for Cloud, these logs continue to be collected. |
| 62 | + |
| 63 | +- Windows Security Events. If you get security alerts from Microsoft Defender for Cloud, these logs continue to be collected. |
| 64 | + |
| 65 | +Within the first 48 hours, the data and analytics rules, which include real-time automation configuration, are no longer accessible or queryable in Microsoft Sentinel. |
| 66 | + |
| 67 | +### Resources removed |
| 68 | + |
| 69 | +The following resources are removed after 30 days: |
| 70 | + |
| 71 | +- Incidents (including investigation metadata) |
| 72 | + |
| 73 | +- Analytics rules |
| 74 | + |
| 75 | +- Bookmarks |
| 76 | + |
| 77 | +Your playbooks, saved workbooks, saved hunting queries, and notebooks aren't removed. Some of these resources might break due to the removed data. Remove those resources manually. |
| 78 | + |
| 79 | +After you remove the service, there's a grace period of 30 days to re-enable Microsoft Sentinel. Your data and analytics rules are restored, but the configured connectors that were disconnected must be reconnected. |
| 80 | + |
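Review bot: "But, you can remove it manually." (resource provider registration) and "Remove those resources manually." (playbooks, workbooks, hunting queries, notebooks) both tell the reader to clean up without saying how or linking to a procedure. The old text at least set these apart in bold and in a NOTE callout. Add a link or a short step for each, since leftover registrations and automation are the items most likely to be forgotten after offboarding. Two smaller points in the same region: "the following data connector are removed" should be plural, and the sentence "Within the first 48 hours, the data and analytics rules ..." is about data and rules rather than connector configuration, so it reads better in the "Review implications" intro next to the other 48-hour statement than under "Data connector configurations removed".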
| 81 | +### Microsoft Sentinel tables deleted |
| 82 | + |
| 83 | +When you remove Microsoft Sentinel from your workspace, all Microsoft Sentinel tables are deleted. The data in these tables aren't accessible or queryable. But, the data retention policy set for those tables applies to the data in the deleted tables. So, if you re-enable Microsoft Sentinel on the workspace within the data retention time period, the retained data is restored to those tables. |
| 84 | + |
| 85 | +The tables and related data that are inaccessible when you remove Microsoft Sentinel include but aren't limited to the following tables: |
| 86 | + |
| 87 | +- `AlertEvidence` |
| 88 | +- `AlertInfo` |
| 89 | +- `Anomalies` |
| 90 | +- `ASimAuditEventLogs` |
| 91 | +- `ASimAuthenticationEventLogs` |
| 92 | +- `ASimDhcpEventLogs` |
| 93 | +- `ASimDnsActivityLogs` |
| 94 | +- `ASimFileEventLogs` |
| 95 | +- `ASimNetworkSessionLogs` |
| 96 | +- `ASimProcessEventLogs` |
| 97 | +- `ASimRegistryEventLogs` |
| 98 | +- `ASimUserManagementActivityLogs` |
| 99 | +- `ASimWebSessionLogs` |
| 100 | +- `AWSCloudTrail` |
| 101 | +- `AWSCloudWatch` |
| 102 | +- `AWSGuardDuty` |
| 103 | +- `AWSVPCFlow` |
| 104 | +- `CloudAppEvents` |
| 105 | +- `CommonSecurityLog` |
| 106 | +- `ConfidentialWatchlist` |
| 107 | +- `DataverseActivity` |
| 108 | +- `DeviceEvents` |
| 109 | +- `DeviceFileCertificateInfo` |
| 110 | +- `DeviceFileEvents` |
| 111 | +- `DeviceImageLoadEvents` |
| 112 | +- `DeviceInfo` |
| 113 | +- `DeviceLogonEvents` |
| 114 | +- `DeviceNetworkEvents` |
| 115 | +- `DeviceNetworkInfo` |
| 116 | +- `DeviceProcessEvents` |
| 117 | +- `DeviceRegistryEvents` |
| 118 | +- `DeviceTvmSecureConfigurationAssessment` |
| 119 | +- `DeviceTvmSecureConfigurationAssessmentKB` |
| 120 | +- `DeviceTvmSoftwareInventory` |
| 121 | +- `DeviceTvmSoftwareVulnerabilities` |
| 122 | +- `DeviceTvmSoftwareVulnerabilitiesKB` |
| 123 | +- `DnsEvents` |
| 124 | +- `DnsInventory` |
| 125 | +- `Dynamics365Activity` |
| 126 | +- `DynamicSummary` |
| 127 | +- `EmailAttachmentInfo` |
| 128 | +- `EmailEvents` |
| 129 | +- `EmailPostDeliveryEvents` |
| 130 | +- `EmailUrlInfo` |
| 131 | +- `GCPAuditLogs` |
| 132 | +- `GoogleCloudSCC` |
| 133 | +- `HuntingBookmark` |
| 134 | +- `IdentityDirectoryEvents` |
| 135 | +- `IdentityLogonEvents` |
| 136 | +- `IdentityQueryEvents` |
| 137 | +- `LinuxAuditLog` |
| 138 | +- `McasShadowItReporting` |
| 139 | +- `MicrosoftPurviewInformationProtection` |
| 140 | +- `NetworkSessions` |
| 141 | +- `OfficeActivity` |
| 142 | +- `PowerAppsActivity` |
| 143 | +- `PowerAutomateActivity` |
| 144 | +- `PowerBIActivity` |
| 145 | +- `PowerPlatformAdminActivity` |
| 146 | +- `PowerPlatformConnectorActivity` |
| 147 | +- `PowerPlatformDlpActivity` |
| 148 | +- `ProjectActivity` |
| 149 | +- `SecurityAlert` |
| 150 | +- `SecurityEvent` |
| 151 | +- `SecurityIncident` |
| 152 | +- `SentinelAudit` |
| 153 | +- `SentinelHealth` |
| 154 | +- `ThreatIntelligenceIndicator` |
| 155 | +- `UrlClickEvents` |
| 156 | +- `Watchlist` |
| 157 | +- `WindowsEvent` |
36 | 158 |
|
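Review bot: The restore window is stated two different ways. "Resources removed" says there is "a grace period of 30 days to re-enable Microsoft Sentinel" after which data and analytics rules are restored, while "Microsoft Sentinel tables deleted" says retained data is restored if you re-enable "within the data retention time period". Say which limit governs table data when the retention period is shorter or longer than 30 days, because that determines whether log data can still be recovered for an investigation. The table list also names `CommonSecurityLog` and `SecurityEvent` as inaccessible, while the connector bullets above say those logs "continue to be collected" when Microsoft Defender for Cloud alerts are in use. Clarify whether those tables stay queryable in that case.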
37 |
| -## What happens behind the scenes? |
38 |
| - |
39 |
| -When you remove the solution, Microsoft Sentinel takes up to 48 hours to complete the first phase of the deletion process. |
40 |
| - |
41 |
| -After the disconnection is identified, the offboarding process begins. |
42 |
| - |
43 |
| -**The configuration of these connectors is removed:** |
44 |
| -- Office 365 |
45 |
| - |
46 |
| -- AWS |
47 |
| - |
48 |
| -- Microsoft services security alerts: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps (*formerly Microsoft Cloud App Security*) including Cloud Discovery Shadow IT reporting, Microsoft Entra ID Protection, Microsoft Defender for Endpoint, security alerts from Microsoft Defender for Cloud (*formerly Azure Defender*) |
49 |
| - |
50 |
| -- Threat Intelligence |
51 |
| - |
52 |
| -- Common security logs (including CEF-based logs, Barracuda, and Syslog) (If you get security alerts from Microsoft Defender for Cloud, these logs will continue to be collected.) |
53 |
| - |
54 |
| -- Windows Security Events (If you get security alerts from Microsoft Defender for Cloud, these logs will continue to be collected.) |
55 |
| - |
56 |
| -Within the first 48 hours, the data and analytics rules (including real-time automation configuration) will no longer be accessible or queryable in Microsoft Sentinel. |
57 |
| - |
58 |
| -**After 30 days these resources are removed:** |
59 |
| - |
60 |
| -- Incidents (including investigation metadata) |
61 |
| - |
62 |
| -- Analytics rules |
63 |
| - |
64 |
| -- Bookmarks |
65 |
| - |
66 |
| -Your playbooks, saved workbooks, saved hunting queries, and notebooks are not removed. **Some may break due to the removed data. Remove those manually.** |
67 |
| - |
68 |
| -After you remove the service, there is a grace period of 30 days to re-enable the solution. Your data and analytics rules will be restored, but the configured connectors that were disconnected must be reconnected. |
69 |
| - |
70 |
| -> [!NOTE] |
71 |
| -> If you remove the solution, your subscription will continue to be registered with the Microsoft Sentinel resource provider. **You can remove it manually.** |
| 159 | +## Next steps |
72 | 160 |
|
| 161 | +In this document, you learned how to remove the Microsoft Sentinel service. If you change your mind and want to install it again, see [Quickstart: Onboard Microsoft Sentinel](quickstart-onboard.md). |
73 | 162 |
|
74 |
| -## Next steps |
75 |
| -In this document, you learned how to remove the Microsoft Sentinel service. If you change your mind and want to install it again: |
76 |
| -- Get started [on-boarding Microsoft Sentinel](quickstart-onboard.md). |
|